The purpose of this article is to highlight two very different digital identity strategies, as well as the various differences between a government-managed and a privatized solution. In this instance, the solutions that are presented here are from Europe and the United States.
One of the questions that arises within this article as we compare two contrasting eID strategies (government versus privatized), whilst acknowledging that a Citizens’ desire for privacy and security is paramount, is whether a citizen would be willing to give companies access to their personal data in exchange for a better user experience.
A background on the European eID Framework
An electronic identity (eID) is a means for individuals to prove their identity electronically in order to gain access to services. Within the European Union, a central authority - the Government, securely stores personal identifying data to issue physical ID documents. This is heavily relied on (and often taken for granted!). In turn, individuals trust their IDs and extend this trust into the digital world, where they use this information to gain access to a variety of services where identities must be proven, such as, making a payment, opening a bank account, applying for insurance, or proving your age.
The European Commission is implementing its 'digital Europe' strategy after announcing plans for a European Digital Identity and Wallet framework in early June 2021. To date, eIDAS has only focused on online identification, however the new proposal aims to extend it to the world of physical services. Within a data-driven, technical economy where services can be accessed from anywhere, lies the need for a safe and efficient identification process that builds trust among counterparties - the major drive is to provide customers with a frictionless experience when using services or buying products.
This initiative is carried out by the European Commission. This new eID strategy is built on the existing cross-border legal framework for trusted digital identities, the European electronic identification and trust services initiative (eIDAS Regulation), which was adopted in 2014. The eIDAS Regulation establishes the framework for cross-border electronic identification, authentication and website certification within the European Union.
Similar efforts are carried out at the national level in countries around the world including Singapore, Canada and China, rather than through private companies.
The EU Strategy towards a Digital Single Market - inside the Wallet
The European eID is operated via a digital wallet - the EU Wallet and will be available on mobile phones and other devices. The proposal will allow users to link their national digital identities with proof of other personal attributes, including drivers licences, medical records and bank accounts, for example. The ‘wallet app’ is downloaded to a mobile device and specific documents can be shared at the click on a button, allowing EU citizens to digitally identify themselves, store and manage identity data and official documents in an electronic format.
As a result, eIDs from different Member States are interoperable and accepted in other Member States, giving citizens new options and opportunities to use services across borders.
This strategy executes the vision and request of the European Council for EU-wide secure public electronic identification (eID), which would include interoperable digital signatures and give EU citizens control over their online identities and data.
Based on a chart from IR GLOBAL
The European Digital Identity Ecosystem
Based on a chart from European Commission
Example benefits are:
- Being able to control and prove a specific personal attribute without revealing the users identity or other personal details
- Strong security features when storing and applying for services - accessing a bank account, submitting tax declarations, accessing medical systems in other EU countries
- Proving that the user has a valid driving licence but not disclosing other personal details.
All of these services require strong user authentication and our earlier article about the European digital identity trust framework provides details on the required Digital Identity ‘Trust criteria.
However, the proposal has raised some concerns among EU lawmakers and privacy activists, particularly around entrusting our digital lives to the government as well as bringing all data and documents together in one repository creates the danger of hacks and identity theft.
The United States
Drivers licenses and state IDs are the most commonly used identity documents in the U.S. With 50 states (+territories) issuing uniquely designed credentials, validating an ID is authentic and has to be achieved by the bearer providing their identity - to add a mobile drivers licence (mDL) and other documents to Apple Wallets, users will have to take photos of their IDs, then undergo a face biometrics check with liveness detection capabilities. In this instance, it should be noted that the solution that is provided is ‘digitization of a physical ID’.
Apple announced in June 2021 that its users in certain U.S States will be able to store state-issued identification cards - a mDL or state ID - in the iPhone’s Wallet app. (The first state to officially roll out Apple’s digital driver’s license and state ID that can be used at selective checkpoints is Arizona.) As a result, questions have been raised about why local governments in the U.S are handing over control of their citizens' identities to Apple.
- Apple has the sole discretion for key aspects of the program, including types of devices that will be compatible with digital IDs.
- Apple has buy-in and final approval to the marketing that the States carry out.
- Government owned systems and identity credentials are now being made available for commercial purposes.
- The States have to ‘allocate reasonably sufficient personnel and resources’ to support the launch.
- The States have to agree to wide-ranging efforts designed to ensure the adoption of Apple’s digital IDs, including by offering the new feature “proactively” and at no additional cost whenever a citizen gets new or replacement identification cards.
- The burden of maintaining technology systems at taxpayer expense falls on the States, which ultimately benefits Apple and its shareholders by making its devices even more essential than they already are.
- Apple's goal is to make itself indispensable to its users, and Apple Wallet's new functions create further customer lock-in to the Apple ecosystem, potentially driving out Android devices.
What Apple's Secret Department of Motor Vehicles (DMV) Contracts Tell Us
Privatizing Identity - Separation of Powers
So should Governments and the Private Sector work together to advance digital identity? Individuals, government and private sector companies all have a vested interest in having trustworthy systems that enable end-user identity verification. For the end user, it is all about security of personal data and timely and efficient access to services and benefits.
Google have not moved forward with any particular development as to when an app would be available on Android devices that would allow the user to store drivers licenses or government IDs in the Identity Credential Store which may be because of concerns around security and ensuring that the right privacy framework is in place.
Or, as we can see from the relationship between the U.S and Apple, does this come at a cost to the taxpayer as well as enhanced security concerns around use and storage of personal data?
Implementation tracker map (Secure Technology Alliance)
BBC News - Apple digital ID scheme comes with conditions and costs
NPR - Apple iPhones Can Soon Hold Your ID. Privacy Experts Are On Edge
engadget - Apple has tight control over states' digital ID cards